OpenVPN
tls_crypt.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2016-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 */
23
24#ifdef HAVE_CONFIG_H
25#include "config.h"
26#endif
27
28#include "syshead.h"
29
30#include "argv.h"
31#include "base64.h"
32#include "crypto.h"
33#include "platform.h"
34#include "run_command.h"
35#include "session_id.h"
36#include "ssl.h"
37
38#include "tls_crypt.h"
39
40const char *tls_crypt_v2_cli_pem_name = "OpenVPN tls-crypt-v2 client key";
41const char *tls_crypt_v2_srv_pem_name = "OpenVPN tls-crypt-v2 server key";
42
44static const uint8_t TLS_CRYPT_METADATA_TYPE_USER = 0x00;
46static const uint8_t TLS_CRYPT_METADATA_TYPE_TIMESTAMP = 0x01;
47
48static struct key_type
49tls_crypt_kt(void)
50{
51 return create_kt("AES-256-CTR", "SHA256", "tls-crypt");
52}
53
54int
59
60void
61tls_crypt_init_key(struct key_ctx_bi *key, struct key2 *keydata,
62 const char *key_file, bool key_inline, bool tls_server)
63{
64 const int key_direction = tls_server ?
65 KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
66 struct key_type kt = tls_crypt_kt();
67 if (!kt.cipher || !kt.digest)
68 {
69 msg(M_FATAL, "ERROR: --tls-crypt not supported");
70 }
71 crypto_read_openvpn_key(&kt, key, key_file, key_inline, key_direction,
72 "Control Channel Encryption", "tls-crypt", keydata);
73}
74
78static void
79xor_key2(struct key2 *key, const struct key2 *other)
80{
81 ASSERT(key->n == 2 && other->n == 2);
82 for (int k = 0; k < 2; k++)
83 {
84 for (int j = 0; j < MAX_CIPHER_KEY_LENGTH; j++)
85 {
86 key->keys[k].cipher[j] = key->keys[k].cipher[j] ^ other->keys[k].cipher[j];
87 }
88
89 for (int j = 0; j < MAX_HMAC_KEY_LENGTH; j++)
90 {
91 key->keys[k].hmac[j] = key->keys[k].hmac[j] ^ other->keys[k].hmac[j];
92 }
93
94 }
95}
96
97bool
98tls_session_generate_dynamic_tls_crypt_key(struct tls_session *session)
99{
100 struct key2 rengokeys;
101 if (!key_state_export_keying_material(session, EXPORT_DYNAMIC_TLS_CRYPT_LABEL,
102 strlen(EXPORT_DYNAMIC_TLS_CRYPT_LABEL),
103 rengokeys.keys, sizeof(rengokeys.keys)))
104 {
105 return false;
106 }
107 rengokeys.n = 2;
108
109 session->tls_wrap_reneg.opt = session->tls_wrap.opt;
110 session->tls_wrap_reneg.mode = TLS_WRAP_CRYPT;
111 session->tls_wrap_reneg.cleanup_key_ctx = true;
112 session->tls_wrap_reneg.work = alloc_buf(BUF_SIZE(&session->opt->frame));
113 session->tls_wrap_reneg.opt.pid_persist = NULL;
114
115 packet_id_init(&session->tls_wrap_reneg.opt.packet_id,
116 session->opt->replay_window,
117 session->opt->replay_time,
118 "TLS_WRAP_RENEG", session->key_id);
119
120 if (session->tls_wrap.mode == TLS_WRAP_CRYPT
121 || session->tls_wrap.mode == TLS_WRAP_AUTH)
122 {
123 xor_key2(&rengokeys, &session->tls_wrap.original_wrap_keydata);
124 }
125
126 const int key_direction = session->opt->server ?
127 KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
128
129 struct key_direction_state kds;
130 key_direction_state_init(&kds, key_direction);
131
132 struct key_type kt = tls_crypt_kt();
133
134 init_key_ctx_bi(&session->tls_wrap_reneg.opt.key_ctx_bi, &rengokeys, key_direction,
135 &kt, "dynamic tls-crypt");
136 secure_memzero(&rengokeys, sizeof(rengokeys));
137
138 return true;
139}
140
141
142bool
143tls_crypt_wrap(const struct buffer *src, struct buffer *dst,
144 struct crypto_options *opt)
145{
146 const struct key_ctx *ctx = &opt->key_ctx_bi.encrypt;
147 struct gc_arena gc;
148
149 /* IV, packet-ID and implicit IV required for this mode. */
150 ASSERT(ctx->cipher);
151 ASSERT(ctx->hmac);
152 ASSERT(packet_id_initialized(&opt->packet_id));
153 ASSERT(hmac_ctx_size(ctx->hmac) == 256/8);
154
155 gc_init(&gc);
156
157 dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP FROM: %s",
158 format_hex(BPTR(src), BLEN(src), 80, &gc));
159
160 /* Get packet ID */
161 if (!packet_id_write(&opt->packet_id.send, dst, true, false))
162 {
163 msg(D_CRYPT_ERRORS, "TLS-CRYPT ERROR: packet ID roll over.");
164 goto err;
165 }
166
167 dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP AD: %s",
168 format_hex(BPTR(dst), BLEN(dst), 0, &gc));
169
170 /* Buffer overflow check */
171 if (!buf_safe(dst, BLEN(src) + TLS_CRYPT_BLOCK_SIZE + TLS_CRYPT_TAG_SIZE))
172 {
173 msg(D_CRYPT_ERRORS, "TLS-CRYPT WRAP: buffer size error, "
174 "sc=%d so=%d sl=%d dc=%d do=%d dl=%d", src->capacity, src->offset,
175 src->len, dst->capacity, dst->offset, dst->len);
176 goto err;
177 }
178
179 /* Calculate auth tag and synthetic IV */
180 {
181 uint8_t *tag = NULL;
182 hmac_ctx_reset(ctx->hmac);
183 hmac_ctx_update(ctx->hmac, BPTR(dst), BLEN(dst));
184 hmac_ctx_update(ctx->hmac, BPTR(src), BLEN(src));
185
186 ASSERT(tag = buf_write_alloc(dst, TLS_CRYPT_TAG_SIZE));
187 hmac_ctx_final(ctx->hmac, tag);
188
189 dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP TAG: %s",
190 format_hex(tag, TLS_CRYPT_TAG_SIZE, 0, &gc));
191
192 /* Use the 128 most significant bits of the tag as IV */
193 ASSERT(cipher_ctx_reset(ctx->cipher, tag));
194 }
195
196 /* Encrypt src */
197 {
198 int outlen = 0;
199 ASSERT(cipher_ctx_update(ctx->cipher, BEND(dst), &outlen,
200 BPTR(src), BLEN(src)));
201 ASSERT(buf_inc_len(dst, outlen));
202 ASSERT(cipher_ctx_final(ctx->cipher, BPTR(dst), &outlen));
203 ASSERT(buf_inc_len(dst, outlen));
204 }
205
206 dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP TO: %s",
207 format_hex(BPTR(dst), BLEN(dst), 80, &gc));
208
209 gc_free(&gc);
210 return true;
211
212err:
213 crypto_clear_error();
214 dst->len = 0;
215 gc_free(&gc);
216 return false;
217}
218
219bool
220tls_crypt_unwrap(const struct buffer *src, struct buffer *dst,
221 struct crypto_options *opt)
222{
223 static const char error_prefix[] = "tls-crypt unwrap error";
224 const struct key_ctx *ctx = &opt->key_ctx_bi.decrypt;
225 struct gc_arena gc;
226
227 gc_init(&gc);
228
229 ASSERT(opt);
230 ASSERT(src->len > 0);
231 ASSERT(ctx->cipher);
232 ASSERT(packet_id_initialized(&opt->packet_id)
233 || (opt->flags & CO_IGNORE_PACKET_ID));
234
235 dmsg(D_PACKET_CONTENT, "TLS-CRYPT UNWRAP FROM: %s",
236 format_hex(BPTR(src), BLEN(src), 80, &gc));
237
238 if (buf_len(src) < TLS_CRYPT_OFF_CT)
239 {
240 CRYPT_ERROR("packet too short");
241 }
242
243 /* Decrypt cipher text */
244 {
245 int outlen = 0;
246
247 /* Buffer overflow check (should never fail) */
248 if (!buf_safe(dst, BLEN(src) - TLS_CRYPT_OFF_CT + TLS_CRYPT_BLOCK_SIZE))
249 {
250 CRYPT_ERROR("potential buffer overflow");
251 }
252
253 if (!cipher_ctx_reset(ctx->cipher, BPTR(src) + TLS_CRYPT_OFF_TAG))
254 {
255 CRYPT_ERROR("cipher reset failed");
256 }
257 if (!cipher_ctx_update(ctx->cipher, BPTR(dst), &outlen,
258 BPTR(src) + TLS_CRYPT_OFF_CT, BLEN(src) - TLS_CRYPT_OFF_CT))
259 {
260 CRYPT_ERROR("cipher update failed");
261 }
262 ASSERT(buf_inc_len(dst, outlen));
263 if (!cipher_ctx_final(ctx->cipher, BPTR(dst), &outlen))
264 {
265 CRYPT_ERROR("cipher final failed");
266 }
267 ASSERT(buf_inc_len(dst, outlen));
268 }
269
270 /* Check authentication */
271 {
272 const uint8_t *tag = BPTR(src) + TLS_CRYPT_OFF_TAG;
273 uint8_t tag_check[TLS_CRYPT_TAG_SIZE] = { 0 };
274
275 dmsg(D_PACKET_CONTENT, "TLS-CRYPT UNWRAP AD: %s",
276 format_hex(BPTR(src), TLS_CRYPT_OFF_TAG, 0, &gc));
277 dmsg(D_PACKET_CONTENT, "TLS-CRYPT UNWRAP TO: %s",
278 format_hex(BPTR(dst), BLEN(dst), 80, &gc));
279
280 hmac_ctx_reset(ctx->hmac);
281 hmac_ctx_update(ctx->hmac, BPTR(src), TLS_CRYPT_OFF_TAG);
282 hmac_ctx_update(ctx->hmac, BPTR(dst), BLEN(dst));
283 hmac_ctx_final(ctx->hmac, tag_check);
284
285 if (memcmp_constant_time(tag, tag_check, sizeof(tag_check)))
286 {
287 dmsg(D_CRYPTO_DEBUG, "tag : %s",
288 format_hex(tag, sizeof(tag_check), 0, &gc));
289 dmsg(D_CRYPTO_DEBUG, "tag_check: %s",
290 format_hex(tag_check, sizeof(tag_check), 0, &gc));
291 CRYPT_ERROR("packet authentication failed");
292 }
293 }
294
295 /* Check replay */
296 if (!(opt->flags & CO_IGNORE_PACKET_ID))
297 {
298 struct packet_id_net pin;
299 struct buffer tmp = *src;
300 ASSERT(buf_advance(&tmp, TLS_CRYPT_OFF_PID));
301 ASSERT(packet_id_read(&pin, &tmp, true));
302 if (!crypto_check_replay(opt, &pin, 0, error_prefix, &gc))
303 {
304 CRYPT_ERROR("packet replay");
305 }
306 }
307
308 gc_free(&gc);
309 return true;
310
311error_exit:
312 crypto_clear_error();
313 dst->len = 0;
314 gc_free(&gc);
315 return false;
316}
317
318static inline void
319tls_crypt_v2_load_client_key(struct key_ctx_bi *key, const struct key2 *key2,
320 bool tls_server)
321{
322 const int key_direction = tls_server ?
323 KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
324 struct key_type kt = tls_crypt_kt();
325 if (!kt.cipher || !kt.digest)
326 {
327 msg(M_FATAL, "ERROR: --tls-crypt-v2 not supported");
328 }
329 init_key_ctx_bi(key, key2, key_direction, &kt,
330 "Control Channel Encryption");
331}
332
333void
334tls_crypt_v2_init_client_key(struct key_ctx_bi *key, struct key2 *original_key,
335 struct buffer *wkc_buf, const char *key_file,
336 bool key_inline)
337{
338 struct buffer client_key = alloc_buf(TLS_CRYPT_V2_CLIENT_KEY_LEN
339 + TLS_CRYPT_V2_MAX_WKC_LEN);
340
341 if (!read_pem_key_file(&client_key, tls_crypt_v2_cli_pem_name,
342 key_file, key_inline))
343 {
344 msg(M_FATAL, "ERROR: invalid tls-crypt-v2 client key format");
345 }
346
347 struct key2 key2 = { .n = 2 };
348 if (!buf_read(&client_key, &key2.keys, sizeof(key2.keys)))
349 {
350 msg(M_FATAL, "ERROR: not enough data in tls-crypt-v2 client key");
351 }
352
353 tls_crypt_v2_load_client_key(key, &key2, false);
354 *original_key = key2;
355
356 *wkc_buf = client_key;
357}
358
359void
360tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt,
361 const char *key_file, bool key_inline)
362{
363 struct key srv_key;
364 struct buffer srv_key_buf;
365
366 buf_set_write(&srv_key_buf, (void *)&srv_key, sizeof(srv_key));
367 if (!read_pem_key_file(&srv_key_buf, tls_crypt_v2_srv_pem_name,
368 key_file, key_inline))
369 {
370 msg(M_FATAL, "ERROR: invalid tls-crypt-v2 server key format");
371 }
372
373 struct key_type kt = tls_crypt_kt();
374 if (!kt.cipher || !kt.digest)
375 {
376 msg(M_FATAL, "ERROR: --tls-crypt-v2 not supported");
377 }
378 struct key_parameters srv_key_params;
379
380 key_parameters_from_key(&srv_key_params, &srv_key);
381
382 init_key_ctx(key_ctx, &srv_key_params, &kt, encrypt, "tls-crypt-v2 server key");
383 secure_memzero(&srv_key, sizeof(srv_key));
384}
385
386static bool
387tls_crypt_v2_wrap_client_key(struct buffer *wkc,
388 const struct key2 *src_key,
389 const struct buffer *src_metadata,
390 struct key_ctx *server_key, struct gc_arena *gc)
391{
392 cipher_ctx_t *cipher_ctx = server_key->cipher;
393 struct buffer work = alloc_buf_gc(TLS_CRYPT_V2_MAX_WKC_LEN
394 + cipher_ctx_block_size(cipher_ctx), gc);
395
396 /* Calculate auth tag and synthetic IV */
397 uint8_t *tag = buf_write_alloc(&work, TLS_CRYPT_TAG_SIZE);
398 if (!tag)
399 {
400 msg(M_WARN, "ERROR: could not write tag");
401 return false;
402 }
403 uint16_t net_len = htons(sizeof(src_key->keys) + BLEN(src_metadata)
404 + TLS_CRYPT_V2_TAG_SIZE + sizeof(uint16_t));
405 hmac_ctx_t *hmac_ctx = server_key->hmac;
406 hmac_ctx_reset(hmac_ctx);
407 hmac_ctx_update(hmac_ctx, (void *)&net_len, sizeof(net_len));
408 hmac_ctx_update(hmac_ctx, (void *)src_key->keys, sizeof(src_key->keys));
409 hmac_ctx_update(hmac_ctx, BPTR(src_metadata), BLEN(src_metadata));
410 hmac_ctx_final(hmac_ctx, tag);
411
412 dmsg(D_CRYPTO_DEBUG, "TLS-CRYPT WRAP TAG: %s",
413 format_hex(tag, TLS_CRYPT_TAG_SIZE, 0, gc));
414
415 /* Use the 128 most significant bits of the tag as IV */
416 ASSERT(cipher_ctx_reset(cipher_ctx, tag));
417
418 /* Overflow check (OpenSSL requires an extra block in the dst buffer) */
419 if (buf_forward_capacity(&work) < (sizeof(src_key->keys)
420 + BLEN(src_metadata)
421 + sizeof(net_len)
422 + cipher_ctx_block_size(cipher_ctx)))
423 {
424 msg(M_WARN, "ERROR: could not crypt: insufficient space in dst");
425 return false;
426 }
427
428 /* Encrypt */
429 int outlen = 0;
430 ASSERT(cipher_ctx_update(cipher_ctx, BEND(&work), &outlen,
431 (void *)src_key->keys, sizeof(src_key->keys)));
432 ASSERT(buf_inc_len(&work, outlen));
433 ASSERT(cipher_ctx_update(cipher_ctx, BEND(&work), &outlen,
434 BPTR(src_metadata), BLEN(src_metadata)));
435 ASSERT(buf_inc_len(&work, outlen));
436 ASSERT(cipher_ctx_final(cipher_ctx, BEND(&work), &outlen));
437 ASSERT(buf_inc_len(&work, outlen));
438 ASSERT(buf_write(&work, &net_len, sizeof(net_len)));
439
440 return buf_copy(wkc, &work);
441}
442
443static bool
444tls_crypt_v2_unwrap_client_key(struct key2 *client_key, struct buffer *metadata,
445 struct buffer wrapped_client_key,
446 struct key_ctx *server_key)
447{
448 const char *error_prefix = __func__;
449 bool ret = false;
450 struct gc_arena gc = gc_new();
451 /* The crypto API requires one extra cipher block of buffer head room when
452 * decrypting, which nicely matches the tag size of WKc. So
453 * TLS_CRYPT_V2_MAX_WKC_LEN is always large enough for the plaintext. */
454 uint8_t plaintext_buf_data[TLS_CRYPT_V2_MAX_WKC_LEN] = { 0 };
455 struct buffer plaintext = { 0 };
456
457 dmsg(D_TLS_DEBUG_MED, "%s: unwrapping client key (len=%d): %s", __func__,
458 BLEN(&wrapped_client_key), format_hex(BPTR(&wrapped_client_key),
459 BLEN(&wrapped_client_key),
460 0, &gc));
461
462 if (TLS_CRYPT_V2_MAX_WKC_LEN < BLEN(&wrapped_client_key))
463 {
464 CRYPT_ERROR("wrapped client key too big");
465 }
466
467 /* Decrypt client key and metadata */
468 uint16_t net_len = 0;
469 const uint8_t *tag = BPTR(&wrapped_client_key);
470
471 if (BLEN(&wrapped_client_key) < sizeof(net_len))
472 {
473 CRYPT_ERROR("failed to read length");
474 }
475 memcpy(&net_len, BEND(&wrapped_client_key) - sizeof(net_len),
476 sizeof(net_len));
477
478 if (ntohs(net_len) != BLEN(&wrapped_client_key))
479 {
480 dmsg(D_TLS_DEBUG_LOW, "%s: net_len=%u, BLEN=%i", __func__,
481 ntohs(net_len), BLEN(&wrapped_client_key));
482 CRYPT_ERROR("invalid length");
483 }
484
485 buf_inc_len(&wrapped_client_key, -(int)sizeof(net_len));
486
487 if (!buf_advance(&wrapped_client_key, TLS_CRYPT_TAG_SIZE))
488 {
489 CRYPT_ERROR("failed to read tag");
490 }
491
492 if (!cipher_ctx_reset(server_key->cipher, tag))
493 {
494 CRYPT_ERROR("failed to initialize IV");
495 }
496 buf_set_write(&plaintext, plaintext_buf_data, sizeof(plaintext_buf_data));
497 int outlen = 0;
498 if (!cipher_ctx_update(server_key->cipher, BPTR(&plaintext), &outlen,
499 BPTR(&wrapped_client_key),
500 BLEN(&wrapped_client_key)))
501 {
502 CRYPT_ERROR("could not decrypt client key");
503 }
504 ASSERT(buf_inc_len(&plaintext, outlen));
505
506 if (!cipher_ctx_final(server_key->cipher, BEND(&plaintext), &outlen))
507 {
508 CRYPT_ERROR("cipher final failed");
509 }
510 ASSERT(buf_inc_len(&plaintext, outlen));
511
512 /* Check authentication */
513 uint8_t tag_check[TLS_CRYPT_TAG_SIZE] = { 0 };
514 hmac_ctx_reset(server_key->hmac);
515 hmac_ctx_update(server_key->hmac, (void *)&net_len, sizeof(net_len));
516 hmac_ctx_update(server_key->hmac, BPTR(&plaintext),
517 BLEN(&plaintext));
518 hmac_ctx_final(server_key->hmac, tag_check);
519
520 if (memcmp_constant_time(tag, tag_check, sizeof(tag_check)))
521 {
522 dmsg(D_CRYPTO_DEBUG, "tag : %s",
523 format_hex(tag, sizeof(tag_check), 0, &gc));
524 dmsg(D_CRYPTO_DEBUG, "tag_check: %s",
525 format_hex(tag_check, sizeof(tag_check), 0, &gc));
526 CRYPT_ERROR("client key authentication error");
527 msg(D_TLS_DEBUG_LOW, "This might be a client-key that was generated for "
528 "a different tls-crypt-v2 server key)");
529 }
530
531 if (buf_len(&plaintext) < sizeof(client_key->keys))
532 {
533 CRYPT_ERROR("failed to read client key");
534 }
535 memcpy(&client_key->keys, BPTR(&plaintext), sizeof(client_key->keys));
536 ASSERT(buf_advance(&plaintext, sizeof(client_key->keys)));
537 client_key->n = 2;
538
539 if (!buf_copy(metadata, &plaintext))
540 {
541 CRYPT_ERROR("metadata too large for supplied buffer");
542 }
543
544 ret = true;
545error_exit:
546 if (!ret)
547 {
548 secure_memzero(client_key, sizeof(*client_key));
549 }
550 buf_clear(&plaintext);
551 gc_free(&gc);
552 return ret;
553}
554
555static bool
556tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx,
557 const struct tls_options *opt)
558{
559 bool ret = false;
560 struct gc_arena gc = gc_new();
561 const char *tmp_file = NULL;
562 struct buffer metadata = ctx->tls_crypt_v2_metadata;
563 int metadata_type = buf_read_u8(&metadata);
564 if (metadata_type < 0)
565 {
566 msg(M_WARN, "ERROR: no metadata type");
567 goto cleanup;
568 }
569
570 tmp_file = platform_create_temp_file(opt->tmp_dir, "tls_crypt_v2_metadata_",
571 &gc);
572 if (!tmp_file || !buffer_write_file(tmp_file, &metadata))
573 {
574 msg(M_WARN, "ERROR: could not write metadata to file");
575 goto cleanup;
576 }
577
578 char metadata_type_str[4] = { 0 }; /* Max value: 255 */
579 snprintf(metadata_type_str, sizeof(metadata_type_str),
580 "%i", (uint8_t) metadata_type);
581 struct env_set *es = env_set_create(NULL);
582 setenv_str(es, "script_type", "tls-crypt-v2-verify");
583 setenv_str(es, "metadata_type", metadata_type_str);
584 setenv_str(es, "metadata_file", tmp_file);
585
586 struct argv argv = argv_new();
587 argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script);
588 argv_msg_prefix(D_TLS_DEBUG, &argv, "Executing tls-crypt-v2-verify");
589
590 ret = openvpn_run_script(&argv, es, 0, "--tls-crypt-v2-verify");
591
592 argv_free(&argv);
593 env_set_destroy(es);
594
595 if (!platform_unlink(tmp_file))
596 {
597 msg(M_WARN, "WARNING: failed to remove temp file '%s", tmp_file);
598 }
599
600 if (ret)
601 {
602 msg(D_HANDSHAKE, "TLS CRYPT V2 VERIFY SCRIPT OK");
603 }
604 else
605 {
606 msg(D_HANDSHAKE, "TLS CRYPT V2 VERIFY SCRIPT ERROR");
607 }
608
609cleanup:
610 gc_free(&gc);
611 return ret;
612}
613
614bool
615tls_crypt_v2_extract_client_key(struct buffer *buf,
616 struct tls_wrap_ctx *ctx,
617 const struct tls_options *opt,
618 bool initial_packet)
619{
620 if (!ctx->tls_crypt_v2_server_key.cipher)
621 {
622 msg(D_TLS_ERRORS,
623 "Client wants tls-crypt-v2, but no server key present.");
624 return false;
625 }
626
627 msg(D_HANDSHAKE, "Control Channel: using tls-crypt-v2 key");
628
629 struct buffer wrapped_client_key = *buf;
630 uint16_t net_len = 0;
631
632 if (BLEN(&wrapped_client_key) < sizeof(net_len))
633 {
634 msg(D_TLS_ERRORS, "Can not read tls-crypt-v2 client key length");
635 return false;
636 }
637 memcpy(&net_len, BEND(&wrapped_client_key) - sizeof(net_len),
638 sizeof(net_len));
639
640 uint16_t wkc_len = ntohs(net_len);
641 if (!buf_advance(&wrapped_client_key, BLEN(&wrapped_client_key) - wkc_len))
642 {
643 msg(D_TLS_ERRORS, "Can not locate tls-crypt-v2 client key");
644 return false;
645 }
646
647 if (!initial_packet)
648 {
649 /* This might be a harmless resend of the packet but it is better to
650 * just ignore the WKC part than trying to setup tls-crypt keys again.
651 *
652 * A CONTROL_WKC_V1 packets has a normal packet part and an appended
653 * wrapped control key. These are authenticated individually. We already
654 * set up tls-crypt with the wrapped key, so we are ignoring this part
655 * of the message but we return the normal packet part as the normal
656 * part of the message might have been corrupted earlier and discarded
657 * and this is resend. So return the normal part of the packet,
658 * basically transforming the CONTROL_WKC_V1 into a normal CONTROL_V1
659 * packet*/
660 msg(D_TLS_ERRORS, "control channel security already setup ignoring "
661 "wrapped key part of packet.");
662
663 /* Remove client key from buffer so tls-crypt code can unwrap message */
664 ASSERT(buf_inc_len(buf, -(BLEN(&wrapped_client_key))));
665 return true;
666 }
667
668 ctx->tls_crypt_v2_metadata = alloc_buf(TLS_CRYPT_V2_MAX_METADATA_LEN);
669 if (!tls_crypt_v2_unwrap_client_key(&ctx->original_wrap_keydata,
670 &ctx->tls_crypt_v2_metadata,
671 wrapped_client_key,
672 &ctx->tls_crypt_v2_server_key))
673 {
674 msg(D_TLS_ERRORS, "Can not unwrap tls-crypt-v2 client key");
675 secure_memzero(&ctx->original_wrap_keydata, sizeof(ctx->original_wrap_keydata));
676 return false;
677 }
678
679 /* Load the decrypted key */
680 ctx->mode = TLS_WRAP_CRYPT;
681 ctx->cleanup_key_ctx = true;
682 ctx->opt.flags |= CO_PACKET_ID_LONG_FORM;
683 memset(&ctx->opt.key_ctx_bi, 0, sizeof(ctx->opt.key_ctx_bi));
684 tls_crypt_v2_load_client_key(&ctx->opt.key_ctx_bi,
685 &ctx->original_wrap_keydata, true);
686
687 /* Remove client key from buffer so tls-crypt code can unwrap message */
688 ASSERT(buf_inc_len(buf, -(BLEN(&wrapped_client_key))));
689
690 if (opt && opt->tls_crypt_v2_verify_script)
691 {
692 return tls_crypt_v2_verify_metadata(ctx, opt);
693 }
694
695 return true;
696}
697
698void
703
704void
705tls_crypt_v2_write_client_key_file(const char *filename,
706 const char *b64_metadata,
707 const char *server_key_file,
708 bool server_key_inline)
709{
710 struct gc_arena gc = gc_new();
711 struct key_ctx server_key = { 0 };
712 struct buffer client_key_pem = { 0 };
713 struct buffer dst = alloc_buf_gc(TLS_CRYPT_V2_CLIENT_KEY_LEN
714 + TLS_CRYPT_V2_MAX_WKC_LEN, &gc);
715 struct key2 client_key = { .n = 2 };
716
717 if (!rand_bytes((void *)client_key.keys, sizeof(client_key.keys)))
718 {
719 msg(M_FATAL, "ERROR: could not generate random key");
720 goto cleanup;
721 }
722 ASSERT(buf_write(&dst, client_key.keys, sizeof(client_key.keys)));
723
724 struct buffer metadata;
725 if (b64_metadata)
726 {
727 size_t b64_length = strlen(b64_metadata);
728 metadata = alloc_buf_gc(OPENVPN_BASE64_DECODED_LENGTH(b64_length) + 1, &gc);
729 ASSERT(buf_write(&metadata, &TLS_CRYPT_METADATA_TYPE_USER, 1));
730 int decoded_len = openvpn_base64_decode(b64_metadata, BEND(&metadata),
731 BCAP(&metadata));
732 if (decoded_len < 0)
733 {
734 msg(M_FATAL, "ERROR: failed to base64 decode provided metadata");
735 goto cleanup;
736 }
737 if (decoded_len > TLS_CRYPT_V2_MAX_METADATA_LEN - 1)
738 {
739 msg(M_FATAL,
740 "ERROR: metadata too long (%d bytes, max %u bytes)",
741 decoded_len, TLS_CRYPT_V2_MAX_METADATA_LEN - 1);
742 goto cleanup;
743 }
744 ASSERT(buf_inc_len(&metadata, decoded_len));
745 }
746 else
747 {
748 metadata = alloc_buf_gc(1 + sizeof(int64_t), &gc);
749 int64_t timestamp = htonll((uint64_t)now);
750 ASSERT(buf_write(&metadata, &TLS_CRYPT_METADATA_TYPE_TIMESTAMP, 1));
751 ASSERT(buf_write(&metadata, &timestamp, sizeof(timestamp)));
752 }
753
754 tls_crypt_v2_init_server_key(&server_key, true, server_key_file,
755 server_key_inline);
756 if (!tls_crypt_v2_wrap_client_key(&dst, &client_key, &metadata, &server_key,
757 &gc))
758 {
759 msg(M_FATAL, "ERROR: could not wrap generated client key");
760 goto cleanup;
761 }
762
763 /* PEM-encode Kc || WKc */
764 if (!crypto_pem_encode(tls_crypt_v2_cli_pem_name, &client_key_pem, &dst,
765 &gc))
766 {
767 msg(M_FATAL, "ERROR: could not PEM-encode client key");
768 goto cleanup;
769 }
770
771 const char *client_file = filename;
772 bool client_inline = false;
773
774 if (!filename || streq(filename, ""))
775 {
776 printf("%.*s\n", BLEN(&client_key_pem), BPTR(&client_key_pem));
777 client_file = (const char *)BPTR(&client_key_pem);
778 client_inline = true;
779 }
780 else if (!buffer_write_file(filename, &client_key_pem))
781 {
782 msg(M_FATAL, "ERROR: could not write client key file");
783 goto cleanup;
784 }
785
786 /* Sanity check: load client key (as "client") */
787 struct key_ctx_bi test_client_key;
788 struct buffer test_wrapped_client_key;
789 struct key2 keydata;
790 msg(D_GENKEY, "Testing client-side key loading...");
791 tls_crypt_v2_init_client_key(&test_client_key, &keydata, &test_wrapped_client_key,
792 client_file, client_inline);
793 free_key_ctx_bi(&test_client_key);
794
795 /* Sanity check: unwrap and load client key (as "server") */
796 struct buffer test_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN,
797 &gc);
798 struct key2 test_client_key2 = { 0 };
799 free_key_ctx(&server_key);
800 tls_crypt_v2_init_server_key(&server_key, false, server_key_file,
801 server_key_inline);
802 msg(D_GENKEY, "Testing server-side key loading...");
803 ASSERT(tls_crypt_v2_unwrap_client_key(&test_client_key2, &test_metadata,
804 test_wrapped_client_key, &server_key));
805 secure_memzero(&test_client_key2, sizeof(test_client_key2));
806 free_buf(&test_wrapped_client_key);
807
808cleanup:
809 secure_memzero(&client_key, sizeof(client_key));
810 free_key_ctx(&server_key);
811 buf_clear(&client_key_pem);
812 buf_clear(&dst);
813
814 gc_free(&gc);
815}
argv_msg_prefix
void argv_msg_prefix(const int msglev, const struct argv *a, const char *prefix)
Similar to argv_msg() but prefixes the messages being written with a given string.
Definition argv.c:260
argv_parse_cmd
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition argv.c:483
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition argv.c:102
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition argv.c:88
OPENVPN_BASE64_DECODED_LENGTH
#define OPENVPN_BASE64_DECODED_LENGTH(base64_length)
Compute the maximal number of bytes encoded in a base64 string.
Definition base64.h:42
free_buf
void free_buf(struct buffer *buf)
Definition buffer.c:183
buf_clear
void buf_clear(struct buffer *buf)
Definition buffer.c:162
buffer_write_file
bool buffer_write_file(const char *filename, const struct buffer *buf)
Write buffer contents to file.
Definition buffer.c:300
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:88
alloc_buf
struct buffer alloc_buf(size_t size)
Definition buffer.c:62
BEND
#define BEND(buf)
Definition buffer.h:125
format_hex
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition buffer.h:505
buf_copy
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition buffer.h:712
BPTR
#define BPTR(buf)
Definition buffer.h:124
buf_inc_len
static bool buf_inc_len(struct buffer *buf, int inc)
Definition buffer.h:590
gc_init
static void gc_init(struct gc_arena *a)
Definition buffer.h:1012
buf_safe
static bool buf_safe(const struct buffer *buf, size_t len)
Definition buffer.h:520
buf_set_write
static void buf_set_write(struct buffer *buf, uint8_t *data, int size)
Definition buffer.h:331
buf_read
static bool buf_read(struct buffer *src, void *dest, int size)
Definition buffer.h:778
buf_advance
static bool buf_advance(struct buffer *buf, int size)
Definition buffer.h:618
buf_len
static int buf_len(const struct buffer *buf)
Definition buffer.h:253
buf_forward_capacity
static int buf_forward_capacity(const struct buffer *buf)
Definition buffer.h:541
secure_memzero
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition buffer.h:414
buf_write_alloc
static uint8_t * buf_write_alloc(struct buffer *buf, size_t size)
Definition buffer.h:635
buf_write
static bool buf_write(struct buffer *dest, const void *src, size_t size)
Definition buffer.h:668
buf_read_u8
static int buf_read_u8(struct buffer *buf)
Definition buffer.h:790
BLEN
#define BLEN(buf)
Definition buffer.h:127
BCAP
#define BCAP(buf)
Definition buffer.h:130
gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1033
gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1025
key2
#define key2
Definition cert_data.h:82
free_key_ctx_bi
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition crypto.c:1125
init_key_ctx
void init_key_ctx(struct key_ctx *ctx, const struct key_parameters *key, const struct key_type *kt, int enc, const char *prefix)
Definition crypto.c:1015
read_pem_key_file
bool read_pem_key_file(struct buffer *key, const char *pem_name, const char *key_file, bool key_inline)
Read key material from a PEM encoded files into the key structure.
Definition crypto.c:1902
write_pem_key_file
void write_pem_key_file(const char *filename, const char *pem_name)
Generate a server key with enough randomness to fill a key struct and write to file.
Definition crypto.c:1846
key_parameters_from_key
void key_parameters_from_key(struct key_parameters *key_params, const struct key *key)
Converts a struct key representation into a struct key_parameters representation.
Definition crypto.c:1219
init_key_ctx_bi
void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, const struct key_type *kt, const char *name)
Definition crypto.c:1087
key_direction_state_init
void key_direction_state_init(struct key_direction_state *kds, int key_direction)
Definition crypto.c:1705
crypto_read_openvpn_key
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, bool key_inline, const int key_direction, const char *key_name, const char *opt_name, struct key2 *keydata)
Definition crypto.c:1321
crypto_check_replay
bool crypto_check_replay(struct crypto_options *opt, const struct packet_id_net *pin, uint16_t epoch, const char *error_prefix, struct gc_arena *gc)
Check packet ID for replay, and perform replay administration.
Definition crypto.c:384
free_key_ctx
void free_key_ctx(struct key_ctx *ctx)
Definition crypto.c:1106
crypto.h
Data Channel Cryptography Module.
KEY_DIRECTION_NORMAL
#define KEY_DIRECTION_NORMAL
Definition crypto.h:231
CO_PACKET_ID_LONG_FORM
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN's long packet ID format.
Definition crypto.h:344
CRYPT_ERROR
#define CRYPT_ERROR(format)
Definition crypto.h:390
CO_IGNORE_PACKET_ID
#define CO_IGNORE_PACKET_ID
Bit-flag indicating whether to ignore the packet ID of a received packet.
Definition crypto.h:347
memcmp_constant_time
int memcmp_constant_time(const void *a, const void *b, size_t size)
As memcmp(), but constant-time.
Definition crypto_openssl.c:1346
KEY_DIRECTION_INVERSE
#define KEY_DIRECTION_INVERSE
Definition crypto.h:232
create_kt
static struct key_type create_kt(const char *cipher, const char *md, const char *optname)
Creates and validates an instance of struct key_type with the provided algs.
Definition crypto.h:685
cipher_ctx_update
int cipher_ctx_update(cipher_ctx_t *ctx, uint8_t *dst, int *dst_len, uint8_t *src, int src_len)
Updates the given cipher context, encrypting data in the source buffer, and placing any complete bloc...
hmac_ctx_update
void hmac_ctx_update(hmac_ctx_t *ctx, const uint8_t *src, int src_len)
hmac_ctx_reset
void hmac_ctx_reset(hmac_ctx_t *ctx)
cipher_ctx_block_size
int cipher_ctx_block_size(const cipher_ctx_t *ctx)
Returns the block size of the cipher, in bytes.
hmac_ctx_final
void hmac_ctx_final(hmac_ctx_t *ctx, uint8_t *dst)
hmac_ctx_size
int hmac_ctx_size(hmac_ctx_t *ctx)
MAX_CIPHER_KEY_LENGTH
#define MAX_CIPHER_KEY_LENGTH
Definition crypto_backend.h:178
crypto_clear_error
void crypto_clear_error(void)
Definition crypto_openssl.c:230
rand_bytes
int rand_bytes(uint8_t *output, int len)
Wrapper for secure random number generator.
Definition crypto_openssl.c:593
MAX_HMAC_KEY_LENGTH
#define MAX_HMAC_KEY_LENGTH
Definition crypto_backend.h:496
cipher_ctx_reset
int cipher_ctx_reset(cipher_ctx_t *ctx, const uint8_t *iv_buf)
Resets the given cipher context, setting the IV to the specified value.
cipher_ctx_final
int cipher_ctx_final(cipher_ctx_t *ctx, uint8_t *dst, int *dst_len)
Pads the final cipher block using PKCS padding, and output to the destination buffer.
crypto_pem_encode
bool crypto_pem_encode(const char *name, struct buffer *dst, const struct buffer *src, struct gc_arena *gc)
Encode binary data as PEM.
Definition crypto_openssl.c:503
cipher_ctx_t
mbedtls_cipher_context_t cipher_ctx_t
Generic cipher context.
Definition crypto_mbedtls.h:42
hmac_ctx_t
mbedtls_md_context_t hmac_ctx_t
Generic HMAC context.
Definition crypto_mbedtls.h:48
env_set_destroy
void env_set_destroy(struct env_set *es)
Definition env_set.c:167
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition env_set.c:308
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition env_set.c:157
D_TLS_DEBUG_LOW
#define D_TLS_DEBUG_LOW
Definition errlevel.h:77
D_CRYPTO_DEBUG
#define D_CRYPTO_DEBUG
Definition errlevel.h:148
D_PACKET_CONTENT
#define D_PACKET_CONTENT
Definition errlevel.h:168
D_TLS_DEBUG_MED
#define D_TLS_DEBUG_MED
Definition errlevel.h:157
D_CRYPT_ERRORS
#define D_CRYPT_ERRORS
Definition errlevel.h:58
D_HANDSHAKE
#define D_HANDSHAKE
Definition errlevel.h:72
D_GENKEY
#define D_GENKEY
Definition errlevel.h:79
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition errlevel.h:59
D_TLS_DEBUG
#define D_TLS_DEBUG
Definition errlevel.h:165
TLS_CRYPT_V2_MAX_WKC_LEN
#define TLS_CRYPT_V2_MAX_WKC_LEN
Definition tls_crypt.h:97
TLS_CRYPT_BLOCK_SIZE
#define TLS_CRYPT_BLOCK_SIZE
Definition tls_crypt.h:91
tls_crypt_v2_extract_client_key
bool tls_crypt_v2_extract_client_key(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct tls_options *opt, bool initial_packet)
Extract a tls-crypt-v2 client key from a P_CONTROL_HARD_RESET_CLIENT_V3 message, and load the key int...
Definition tls_crypt.c:615
tls_crypt_init_key
void tls_crypt_init_key(struct key_ctx_bi *key, struct key2 *keydata, const char *key_file, bool key_inline, bool tls_server)
Initialize a key_ctx_bi structure for use with --tls-crypt.
Definition tls_crypt.c:61
TLS_CRYPT_TAG_SIZE
#define TLS_CRYPT_TAG_SIZE
Definition tls_crypt.h:89
tls_crypt_v2_init_server_key
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition tls_crypt.c:360
tls_crypt_v2_write_client_key_file
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition tls_crypt.c:705
TLS_CRYPT_OFF_PID
#define TLS_CRYPT_OFF_PID
Definition tls_crypt.h:93
tls_crypt_unwrap
bool tls_crypt_unwrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Unwrap a control channel packet (decrypts, authenticates and performs replay checks).
Definition tls_crypt.c:220
TLS_CRYPT_OFF_TAG
#define TLS_CRYPT_OFF_TAG
Definition tls_crypt.h:94
TLS_CRYPT_OFF_CT
#define TLS_CRYPT_OFF_CT
Definition tls_crypt.h:95
tls_session_generate_dynamic_tls_crypt_key
bool tls_session_generate_dynamic_tls_crypt_key(struct tls_session *session)
Generates a TLS-Crypt key to be used with dynamic tls-crypt using the TLS EKM exporter function.
Definition tls_crypt.c:98
tls_crypt_v2_write_server_key_file
void tls_crypt_v2_write_server_key_file(const char *filename)
Generate a tls-crypt-v2 server key, and write to file.
Definition tls_crypt.c:699
tls_crypt_buf_overhead
int tls_crypt_buf_overhead(void)
Returns the maximum overhead (in bytes) added to the destination buffer by tls_crypt_wrap().
Definition tls_crypt.c:55
TLS_CRYPT_V2_CLIENT_KEY_LEN
#define TLS_CRYPT_V2_CLIENT_KEY_LEN
Definition tls_crypt.h:98
tls_crypt_v2_init_client_key
void tls_crypt_v2_init_client_key(struct key_ctx_bi *key, struct key2 *original_key, struct buffer *wkc_buf, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 client key.
Definition tls_crypt.c:334
tls_crypt_wrap
bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Wrap a control channel packet (both authenticates and encrypts the data).
Definition tls_crypt.c:143
TLS_CRYPT_V2_MAX_METADATA_LEN
#define TLS_CRYPT_V2_MAX_METADATA_LEN
Definition tls_crypt.h:101
TLS_CRYPT_V2_TAG_SIZE
#define TLS_CRYPT_V2_TAG_SIZE
Definition tls_crypt.h:100
htonll
#define htonll(x)
Definition integer.h:30
BUF_SIZE
#define BUF_SIZE(f)
Definition mtu.h:172
M_FATAL
#define M_FATAL
Definition error.h:89
dmsg
#define dmsg(flags,...)
Definition error.h:148
msg
#define msg(flags,...)
Definition error.h:144
ASSERT
#define ASSERT(x)
Definition error.h:195
M_WARN
#define M_WARN
Definition error.h:91
streq
#define streq(x, y)
Definition options.h:724
now
time_t now
Definition otime.c:34
packet_id_init
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition packet_id.c:96
packet_id_read
bool packet_id_read(struct packet_id_net *pin, struct buffer *buf, bool long_form)
Definition packet_id.c:323
packet_id_write
bool packet_id_write(struct packet_id_send *p, struct buffer *buf, bool long_form, bool prepend)
Write a packet ID to buf, and update the packet ID state.
Definition packet_id.c:386
packet_id_initialized
static bool packet_id_initialized(const struct packet_id *pid)
Is this struct packet_id initialized?
Definition packet_id.h:275
packet_id_size
static int packet_id_size(bool long_form)
Definition packet_id.h:316
platform_create_temp_file
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition platform.c:541
platform_unlink
bool platform_unlink(const char *filename)
Definition platform.c:488
run_command.h
openvpn_run_script
static int openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Will run a script and return the exit code of the script if between 0 and 255, -1 otherwise.
Definition run_command.h:87
session_id.h
openvpn_base64_decode
int openvpn_base64_decode(const char *str, void *data, int size)
Definition base64.c:158
ssl.h
Control Channel SSL/Data channel negotiation module.
EXPORT_DYNAMIC_TLS_CRYPT_LABEL
#define EXPORT_DYNAMIC_TLS_CRYPT_LABEL
Definition ssl_backend.h:398
key_state_export_keying_material
bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, void *ekm, size_t ekm_size)
Keying Material Exporters [RFC 5705] allows additional keying material to be derived from existing TL...
Definition ssl_openssl.c:156
argv
Definition argv.h:35
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:61
buffer::capacity
int capacity
Size in bytes of memory allocated by malloc().
Definition buffer.h:62
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:66
buffer::offset
int offset
Offset in bytes of the actual content within the allocated memory.
Definition buffer.h:64
crypto_options
Security parameter state for processing data channel packets.
Definition crypto.h:292
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition crypto.h:383
crypto_options::key_ctx_bi
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition crypto.h:293
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition crypto.h:330
env_set
Definition env_set.h:42
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:117
key2
Container for bidirectional cipher and HMAC key material.
Definition crypto.h:239
key2::n
int n
The number of key objects stored in the key2.keys array.
Definition crypto.h:240
key2::keys
struct key keys[2]
Two unidirectional sets of key material.
Definition crypto.h:242
key_ctx_bi
Container for two sets of OpenSSL cipher and/or HMAC contexts for both sending and receiving directio...
Definition crypto.h:279
key_ctx_bi::decrypt
struct key_ctx decrypt
cipher and/or HMAC contexts for receiving direction.
Definition crypto.h:282
key_ctx_bi::encrypt
struct key_ctx encrypt
Cipher and/or HMAC contexts for sending direction.
Definition crypto.h:280
key_ctx
Container for one set of cipher and/or HMAC contexts.
Definition crypto.h:201
key_ctx::cipher
cipher_ctx_t * cipher
Generic cipher context.
Definition crypto.h:202
key_ctx::hmac
hmac_ctx_t * hmac
Generic HMAC context.
Definition crypto.h:203
key_direction_state
Key ordering of the key2.keys array.
Definition crypto.h:258
key_parameters
internal structure similar to struct key that holds key information but is not represented on wire an...
Definition crypto.h:162
key_type
Definition crypto.h:141
key_type::cipher
const char * cipher
const name of the cipher
Definition crypto.h:142
key_type::digest
const char * digest
Message digest static parameters.
Definition crypto.h:143
key
Container for unidirectional cipher and HMAC key material.
Definition crypto.h:152
key::cipher
uint8_t cipher[MAX_CIPHER_KEY_LENGTH]
Key material for cipher operations.
Definition crypto.h:153
key::hmac
uint8_t hmac[MAX_HMAC_KEY_LENGTH]
Key material for HMAC operations.
Definition crypto.h:155
packet_id_net
Data structure for describing the packet id that is received/send to the network.
Definition packet_id.h:192
packet_id::send
struct packet_id_send send
Definition packet_id.h:201
tls_options
Definition ssl_common.h:301
tls_options::tmp_dir
const char * tmp_dir
Definition ssl_common.h:390
tls_options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition ssl_common.h:379
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:483
tls_wrap_ctx
Control channel wrapping (–tls-auth/–tls-crypt) context.
Definition ssl_common.h:271
tls_wrap_ctx::mode
enum tls_wrap_ctx::@27 mode
Control channel wrapping mode.
tls_wrap_ctx::tls_crypt_v2_metadata
struct buffer tls_crypt_v2_metadata
Received from client.
Definition ssl_common.h:282
tls_wrap_ctx::cleanup_key_ctx
bool cleanup_key_ctx
opt.key_ctx_bi is owned by this context
Definition ssl_common.h:283
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition ssl_common.h:277
tls_wrap_ctx::tls_crypt_v2_server_key
struct key_ctx tls_crypt_v2_server_key
Decrypts client keys.
Definition ssl_common.h:279
tls_wrap_ctx::original_wrap_keydata
struct key2 original_wrap_keydata
original key data to be xored in to the key for dynamic tls-crypt.
Definition ssl_common.h:293
es
struct env_set * es
Definition test_pkcs11.c:141
cleanup
static int cleanup(void **state)
Definition test_pkcs11.c:290
gc
struct gc_arena gc
Definition test_ssl.c:155
test_client_key
static const char * test_client_key
Definition test_tls_crypt.c:67
TLS_CRYPT_METADATA_TYPE_USER
static const uint8_t TLS_CRYPT_METADATA_TYPE_USER
Metadata contains user-specified data.
Definition tls_crypt.c:44
tls_crypt_v2_srv_pem_name
const char * tls_crypt_v2_srv_pem_name
Definition tls_crypt.c:41
tls_crypt_v2_verify_metadata
static bool tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx, const struct tls_options *opt)
Definition tls_crypt.c:556
tls_crypt_v2_load_client_key
static void tls_crypt_v2_load_client_key(struct key_ctx_bi *key, const struct key2 *key2, bool tls_server)
Definition tls_crypt.c:319
tls_crypt_v2_cli_pem_name
const char * tls_crypt_v2_cli_pem_name
Definition tls_crypt.c:40
TLS_CRYPT_METADATA_TYPE_TIMESTAMP
static const uint8_t TLS_CRYPT_METADATA_TYPE_TIMESTAMP
Metadata contains a 64-bit unix timestamp in network byte order.
Definition tls_crypt.c:46
tls_crypt_v2_unwrap_client_key
static bool tls_crypt_v2_unwrap_client_key(struct key2 *client_key, struct buffer *metadata, struct buffer wrapped_client_key, struct key_ctx *server_key)
Definition tls_crypt.c:444
tls_crypt_v2_wrap_client_key
static bool tls_crypt_v2_wrap_client_key(struct buffer *wkc, const struct key2 *src_key, const struct buffer *src_metadata, struct key_ctx *server_key, struct gc_arena *gc)
Definition tls_crypt.c:387
xor_key2
static void xor_key2(struct key2 *key, const struct key2 *other)
Will produce key = key XOR other.
Definition tls_crypt.c:79
tls_crypt_kt
static struct key_type tls_crypt_kt(void)
Definition tls_crypt.c:49
tls_crypt.h
Generated by doxygen 1.9.8